Referencing LDAP/AD attributes in post-auth section
Stefano Pardini
stefanopardini at gmail.com
Wed Aug 3 18:07:26 CEST 2016
I'm sorry for asking such a simple thing but I can't find any
reference for FreeRADIUS 3.
I have been successfully using this functionality in FreeRADIUS 2, in
the same manner as reported here:
http://freeradius-users.freeradius.narkive.com/k46qBmbs/referencing-ldap-attributes-in-post-auth
I've created a new ldap module inside mods-available/ldap to extract a
specific ldap attribute (macAddress) from a specific ldap location as
reported here in the rlm_ldap module documentation.
ldap ldap_mac_auth {
        server = 'samba4.server.mynet.lan'
        identity = 'cn=administrator,cn=Users,dc=ad,dc=mynet,dc=lan'
        password = p4ss
        base_dn = 'ou=WiFi,ou=Computers,ou=MyNet,dc=ad,dc=mynet,dc=lan'
        update {
                reply:macAddress := 'macAddress'
        }
        user {
                base_dn = "${..base_dn}"
                filter = "(&(objectClass=computer)(managedBy=%{control:Ldap-UserDn}))"
        }
}
Then I'm calling it inside the authorize section of the default server.
authorize {
        ..
        ldap
        ldap_mac_auth
        ..
}
In the post-auth section of the default server I'm applying the
following control.
post-auth {
        ..
        if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) {
                update reply {
                        Tunnel-Private-Group-Id := 43
                        Tunnel-Medium-Type := "IEEE-802"
                        Tunnel-Type := "VLAN"
                }
        }
        ..
}
Inside the dictionary file I've added the reference to that variable.
ATTRIBUTE macAddress 3000 string
During the authentication process I can see the ldap_mac_auth module running.
(2) ldap_mac_auth: EXPAND (&(objectClass=computer)(managedBy=%{control:Ldap-UserDn}))
(2) ldap_mac_auth: --> (&(objectClass=computer)(managedBy=CN\3dTest User\2cOU\3dStaff\2cOU\3dUsers\2cOU\3dMyNet\2cDC\3dad\2cDC\3dmynet\2cDC\3dlan))
(2) ldap_mac_auth: Performing search in "ou=WiFi,ou=Computers,ou=MyNet,dc=ad,dc=mynet,dc=lan" with filter "(&(objectClass=computer)(managedBy=CN\3dTest User\2cOU\3dStaff\2cOU\3dUsers\2cOU\3dMyNet\2cDC\3dad\2cDC\3dmynet\2cDC\3dlan))", scope "sub"
(2) ldap_mac_auth: Waiting for search result...
(2) ldap_mac_auth: User object found at DN "CN=MyNetbook,OU=WiFi,OU=Computers,OU=MyNet,DC=ad,DC=mynet,DC=lan"
(2) ldap_mac_auth: Processing user attributes
(2) ldap_mac_auth: reply:macAddress := '13-59-F3-A3-94-00'
So, as you see, the macAddress ldap attribute is correctly mapped to
the reply:macAddress variable. But at the end of the process,
executing the post-auth section, this is the result:
(10) post-auth {
(10)   if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) {
(10)   EXPAND %{reply:macAddress}
(10)      -->
(10)   EXPAND %{Calling-Station-Id}
(10)      --> 13-59-F3-A3-94-00
(10)   if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) -> FALSE
So the variable "reply:macAddress" couldn't be correctly expanded.
I'm using FreeRADIUS Version 3.0.12.
Thanks in advance for your help.
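Added example from the editor, not part of Stefano's post and not FreeRADIUS code: a Python model of the post-auth comparison above. It normalises the MAC formats different NASes put in Calling-Station-Id and refuses to match when either side is empty or malformed, since a plain string compare treats two empty expansions (such as the failed reply:macAddress expansion in the debug output) as equal. The VLAN id 43 comes from the post; the function names and sample values are hypothetical.

```python
import re

# Constructed sample values modelled on the debug output in the post.
LDAP_MAC = "13-59-F3-A3-94-00"        # what ldap_mac_auth stored in reply:macAddress
CALLING_STATION_ID = "13:59:f3:a3:94:00"  # same MAC as a NAS might format it
VLAN_ID = "43"                        # Tunnel-Private-Group-Id from the post

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Canonicalise a MAC address to 12 lowercase hex digits.

    Accepts the separators commonly seen in Calling-Station-Id
    (aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff, aabbccddeeff).
    Returns None for an empty or malformed value instead of guessing.
    """
    if value is None:
        return None
    digits = re.sub(r"[-:.\s]", "", value.strip()).lower()
    return digits if _HEX12.match(digits) else None


def vlan_for_client(ldap_mac, calling_station_id, vlan_id=VLAN_ID):
    """Model of the post-auth decision: the VLAN to assign, or None.

    Both sides must parse as a MAC before they are compared, so a failed
    LDAP expansion can never pair with a missing Calling-Station-Id and
    hand out the VLAN by accident. Note that a MAC is not a secret: this
    sorts an already-authenticated client into a VLAN, it does not
    authenticate the client.
    """
    expected = normalize_mac(ldap_mac)
    observed = normalize_mac(calling_station_id)
    if expected is None or observed is None:
        return None
    return vlan_id if expected == observed else None


if __name__ == "__main__":
    print(vlan_for_client(LDAP_MAC, CALLING_STATION_ID))  # 43
    print(vlan_for_client("", ""))                        # None
```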